phpBB3 / PHPBB3-9790

Support for X-Accel-Redirect and X-Sendfile headers for attachment downloads

    Details

    • Type: New Feature
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.1.0-a1
    • Component/s: Other
    • Labels:
      None
    • Environment:
      nginx 0.7.67

      Description

      nginx doesn't support X-Sendfile, but something similar called X-Accel-Redirect. I believe this feature would be beneficial to nginx users, as the webserver excels at serving static content.

      Altering the X-Sendfile support at lines 458-461 of download/file.php to

                      if (strpos($upload_dir, '/') !== 0 && strpos($upload_dir, '../') === false)
                      {
                              header('X-Accel-Redirect: ' . $filename);
                      }
      

      is all that is required to send the header to nginx for processing. However, nginx will return a 404 as this sends what it calls an "unsafe URI". As an example, when altering download/file.php to match the above, a request for an attachment will return a 404 with the following entry in nginx's error log:
      unsafe URI "./../files/2_d2b0982cf8938dae68840465cf6045da" was detected while reading response header from upstream

      If the path sent to nginx isn't relative, but absolute to phpBB3's root, e.g. files/2_d2b0982cf8938dae68840465cf6045da then nginx will process the request.
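
The report above comes down to which path is placed in the header. As an added example (not phpBB code; the function name and the sample inputs are hypothetical), this builds the root-relative form that nginx accepted and returns null for anything that would carry a `../` segment, so the caller can fall back to streaming the file from PHP:

```php
<?php
// Added example, not phpBB code: function and variable names are hypothetical.

/**
 * Return the attachment path relative to the board root (the form nginx
 * accepted in the report above), or null when no X-Accel-Redirect header
 * should be sent and the script should stream the file itself.
 */
function accel_redirect_path(string $upload_dir, string $physical_filename): ?string
{
    // Same precondition as the snippet above: relative upload dir, no "../".
    if (strpos($upload_dir, '/') === 0 || strpos($upload_dir, '../') !== false) {
        return null;
    }

    // Strip a leading "./" and surrounding slashes, then refuse any empty,
    // "." or ".." segment so the value can never be an "unsafe URI".
    $dir = trim(preg_replace('#^(?:\./)+#', '', $upload_dir), '/');
    foreach (explode('/', $dir) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null;
        }
    }

    // Assumption: stored names look like the one in the log line above.
    // Anything with a slash or another unexpected byte is refused.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $physical_filename)
        || $physical_filename === '.' || $physical_filename === '..') {
        return null;
    }

    return $dir . '/' . $physical_filename;
}

// Constructed sample inputs; the first pair is the file from the report.
$samples = [
    ['files', '2_d2b0982cf8938dae68840465cf6045da'],
    ['./files/', '2_d2b0982cf8938dae68840465cf6045da'],
    ['../files', '2_d2b0982cf8938dae68840465cf6045da'],
    ['/var/www/files', '2_d2b0982cf8938dae68840465cf6045da'],
    ['files', '../config.php'],
];
foreach ($samples as [$dir, $name]) {
    $path = accel_redirect_path($dir, $name);
    echo json_encode([$dir, $name]), ' => ',
        $path === null ? 'no header, stream from PHP' : 'X-Accel-Redirect: ' . $path, "\n";
}
```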

        Activity

        igorw Igor Wiedler [X] (Inactive) added a comment -

        You are right.

        I did a little research and could not find a way to detect if X-Sendfile is in use. You can check if the apache module is loaded, but not if it will actually be used. I could not find anything similar for X-Accel-Redirect.

        The best way to do this would be to add a config setting to the ACP. Or to not further clutter the ACP, Andreas suggested a PHPBB_ENABLE_XSENDFILE constant for config.php.

        If we are able to detect the webserver in use and the loaded modules, we can show a warning on the ACP index in case the setting is enabled but the server does not support it.

        koios koios added a comment -

        I don't know about Apache and X-Sendfile, but if nginx is compiled with the FastCGI or Proxy modules (requisite if it's to be used with a PHP application such as phpBB) then X-Accel-Redirect is supported out of the box.

        bantu Andreas Fischer added a comment -

        It looks like we can support both, X-Sendfile and X-Accel-Redirect, but they have to be enabled manually. I think having a constant for each is the way to go, as the person enabling those options should really know what she's doing.

        We can also check $_SERVER['SERVER_SOFTWARE'] and display a warning in the ACP, but that makes only limited sense, since 'SERVER_SOFTWARE' might be absent.

        bantu Andreas Fischer added a comment -

        Proposing patch.

        koios koios added a comment -

        Thanks for this patch. I adapted it to a 3.0.8 install and X-Accel-Redirect works like a charm.


          People

          • Assignee:
            bantu Andreas Fischer
            Reporter:
            koios koios